2025-03-30 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)06/03 Report--
Managing Certificates with kubeadm
Before managing certificates, you should understand how Kubernetes uses PKI certificates; see the official documentation.
Checking the expiration time of the certificates
The check-expiration subcommand shows when each certificate expires:
kubeadm alpha certs check-expiration
The output looks like this:
CERTIFICATE                EXPIRES                  RESIDUAL TIME   EXTERNALLY MANAGED
admin.conf                 Oct 06, 2020 03:56 UTC   364d            no
apiserver                  Oct 06, 2020 10:41 UTC   364d            no
apiserver-etcd-client      Oct 06, 2020 03:55 UTC   364d            no
apiserver-kubelet-client   Oct 06, 2020 03:55 UTC   364d            no
controller-manager.conf    Oct 06, 2020 03:56 UTC   364d            no
etcd-healthcheck-client    Oct 02, 2020 12:14 UTC   361d            no
etcd-peer                  Oct 02, 2020 12:14 UTC   361d            no
etcd-server                Oct 02, 2020 12:14 UTC   361d            no
front-proxy-client         Oct 06, 2020 03:55 UTC   364d            no
scheduler.conf             Oct 06, 2020 03:56 UTC   364d            no
This command shows the expiration and remaining time of every certificate, including the certificates in the /etc/kubernetes/pki directory and the client certificates (admin.conf, controller-manager.conf and scheduler.conf) that kubeadm embeds in KUBECONFIG files.
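The table above is easy to read by eye but not to alert on. The following POSIX shell function is an added example, not part of the original article or of kubeadm: it reads check-expiration output on stdin and prints every certificate whose residual time is at or below a threshold in days, marking externally managed certificates separately because kubeadm cannot renew those. It assumes the column layout shown above (no CERTIFICATE AUTHORITY column) and that residual times are printed as Nd, Nh, Nm, or <invalid> for a certificate that has already expired; SAMPLE_OUTPUT is constructed from the rows above plus two made-up rows to exercise both branches.

```shell
#!/bin/sh
# expiring_certs THRESHOLD_DAYS
# Reads `kubeadm alpha certs check-expiration` output on stdin and prints one line per
# certificate with residual time <= THRESHOLD_DAYS: "<name> <days>d <how-to-renew>".
expiring_certs() {
  awk -v threshold="$1" '
    NR == 1 { next }                 # column header
    NF < 8  { next }                 # blank lines, warnings, other headers
    {
      name = $1; residual = $7; external = $8; days = -1
      if (residual == "<invalid>")          days = 0   # already expired (assumed format)
      else if (residual ~ /^[0-9]+d$/)      days = substr(residual, 1, length(residual) - 1) + 0
      else if (residual ~ /^[0-9]+[hm]$/)   days = 0   # less than a day left (assumed format)
      if (days < 0) next                                # not a certificate row
      if (days <= threshold + 0) {
        how = (external == "yes") ? "external-CA-only" : "kubeadm-alpha-certs-renew"
        printf "%s %dd %s\n", name, days, how
      }
    }'
}

# Constructed sample: rows from the article plus two made-up rows (an externally
# managed certificate and an already-expired one).
SAMPLE_OUTPUT='CERTIFICATE EXPIRES RESIDUAL TIME EXTERNALLY MANAGED
admin.conf Oct 06, 2020 03:56 UTC 364d no
apiserver Oct 06, 2020 10:41 UTC 364d no
apiserver-etcd-client Oct 06, 2020 03:55 UTC 364d no
etcd-peer Oct 02, 2020 12:14 UTC 361d no
etcd-server Oct 02, 2020 12:14 UTC 361d no
front-proxy-client Oct 06, 2020 03:55 UTC 364d no
ext-managed-example Jan 01, 2021 00:00 UTC 20d yes
expired-example Jan 01, 2019 00:00 UTC <invalid> no'

# On a live control-plane node: kubeadm alpha certs check-expiration | expiring_certs 30
printf '%s\n' "$SAMPLE_OUTPUT" | expiring_certs 30
```

With a 30-day threshold only the two constructed rows are reported; with a threshold of 362 the etcd certificates at 361d join them. A threshold somewhat above your upgrade cadence turns the table into a simple pre-expiry check for a cron job or monitoring probe.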
Note:
kubelet.conf is not included in the list above because kubeadm configures the kubelet to rotate its certificate automatically. kubeadm cannot manage certificates signed by an external CA.
Automatic renewal of certificates
Automatic renewal means that all certificates are renewed when the control plane is upgraded with kubeadm.
If you have no special certificate-renewal requirements and upgrade the Kubernetes version regularly at intervals shorter than one year, upgrading the cluster frequently is the best practice for keeping it secure.
If you do not want certificates renewed during a cluster upgrade, pass --certificate-renewal=false to kubeadm upgrade apply or kubeadm upgrade node.
Renewing certificates manually
You can renew certificates manually at any time with the kubeadm alpha certs renew command, which issues new certificates using the CA (or front-proxy CA) certificate and key stored in /etc/kubernetes/pki.
In an HA cluster, run it on every control-plane node.
The kubeadm alpha certs command offers these subcommands:
Available Commands:
  certificate-key    Generate a certificate and key
  check-expiration   Check when certificates expire
  renew              Renew the certificates of a Kubernetes cluster
The renew subcommand is the one used most often; here is its help output:
root@k8s-master:~# kubeadm alpha certs renew -h
This command is not meant to be run on its own. See list of available subcommands.
Usage:
  kubeadm alpha certs renew [flags]
  kubeadm alpha certs renew [command]
Available Commands:
  admin.conf                 Renew the certificate embedded in the kubeconfig file for the admin to use and for kubeadm itself
  all                        Renew all available certificates
  apiserver                  Renew the certificate for serving the Kubernetes API
  apiserver-etcd-client      Renew the certificate the apiserver uses to access etcd
  apiserver-kubelet-client   Renew the certificate for the API server to connect to kubelet
  controller-manager.conf    Renew the certificate embedded in the kubeconfig file for the controller manager to use
  etcd-healthcheck-client    Renew the certificate for liveness probes to healthcheck etcd
  etcd-peer                  Renew the certificate for etcd nodes to communicate with each other
  etcd-server                Renew the certificate for serving etcd
  front-proxy-client         Renew the certificate for the front proxy client
  scheduler.conf             Renew the certificate embedded in the kubeconfig file for the scheduler manager to use
Flags:
  -h, --help   help for renew
Global Flags:
      --log-file string             If non-empty, use this log file
      --log-file-max-size uint      Defines the maximum size a log file can grow to. Unit is megabytes. If the value is 0, the maximum file size is unlimited. (default 1800)
      --rootfs string               [EXPERIMENTAL] The path to the 'real' host root filesystem.
      --skip-headers                If true, avoid header prefixes in the log messages
      --skip-log-headers            If true, avoid headers when opening log files
  -v, --v Level                     number for the log level verbosity
As the help shows, you can renew a single certificate by naming it, or pass all to renew every certificate.
Note the following about what the command does:
It renews the certificate unconditionally for one year regardless of the current expiration time. The SANs and other attributes are taken from the existing certificate and do not need to be supplied again. After renew has run, the control-plane components must be restarted for the new certificates to take effect.
The kubeadm alpha certs command only supports v1.15 and above.
Example: manually renewing the apiserver certificate (apiserver.crt)
From the check above, the current apiserver.crt expires at Oct 06, 2020 03:55 UTC, with 364 days left.
1. Run the renewal:
root@k8s-master:~# kubeadm alpha certs renew apiserver
certificate for serving the Kubernetes API renewed
2. Restart the control plane:
Restarting the kubelet automatically recreates the static-pod control-plane components.
systemctl restart kubelet
3. Verify:
root@k8s-master:~# kubeadm alpha certs check-expiration
CERTIFICATE   EXPIRES                  RESIDUAL TIME   EXTERNALLY MANAGED
apiserver     Oct 06, 2020 10:41 UTC   364d            no
The expiration time of the apiserver certificate has changed, but it was not extended by one year from the old expiry: the new expiry is one year from the moment the renew command succeeded.
To renew all certificates for one year, run:
kubeadm alpha certs renew all
Using an external CA to renew certificates
To have a certificate issued by an external CA, kubeadm generates a CSR that you submit to the CA.
1. Generate the CSR and private key:
kubeadm alpha certs renew apiserver --csr-only --csr-dir /tmp/apiserver.csr
--csr-only: only generate the CSR (and private key); do not issue a certificate.
--csr-dir: directory in which the generated CSR and private key are saved; by default /etc/kubernetes/pki.
2. View the CSR and private key:
The command produces the CSR and the private key:
root@k8s-master:~# ls /tmp/apiserver.csr/
apiserver.csr  apiserver.key
3. Use this CSR (generated with the private key) to request a certificate from the CA.
Copy the issued certificate and the private key into the PKI directory /etc/kubernetes/pki.
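Before copying a certificate returned by the external CA into /etc/kubernetes/pki, it is worth confirming that it really belongs to the private key kubeadm generated alongside the CSR and that it chains to the CA you expect. The shell functions below are an added example, not from the article or from kubeadm; they assume only the openssl CLI, take file paths as arguments, and return 1 on a key/CSR/certificate mismatch and 2 when the certificate does not verify against the given CA certificate.

```shell
#!/bin/sh
# Checks on a certificate returned by an external CA for a kubeadm-generated CSR.
# Assumes only the openssl CLI; all paths are passed in as arguments.

# pubkey_of KIND FILE -- print the SubjectPublicKeyInfo (PEM) held in a private key,
# a CSR or a certificate, so the three can be compared as plain strings.
pubkey_of() {
  case "$1" in
    key)  openssl pkey -in "$2" -pubout 2>/dev/null ;;
    csr)  openssl req  -in "$2" -pubkey -noout 2>/dev/null ;;
    cert) openssl x509 -in "$2" -pubkey -noout 2>/dev/null ;;
  esac
}

# check_issued_cert KEY CSR CERT CA_CERT
# 0: key, CSR and certificate share one public key and the certificate chains to CA_CERT
# 1: public keys differ (wrong file, or the CA re-keyed the request)
# 2: certificate does not verify against CA_CERT (wrong CA, or outside its validity window)
check_issued_cert() {
  k=$(pubkey_of key  "$1") || k=""
  c=$(pubkey_of csr  "$2") || c=""
  x=$(pubkey_of cert "$3") || x=""
  if [ -z "$k" ] || [ "$k" != "$c" ] || [ "$k" != "$x" ]; then
    return 1
  fi
  openssl verify -CAfile "$4" "$3" >/dev/null 2>&1 || return 2
  return 0
}

# describe_cert CERT -- show what the CA actually issued (subject, SANs, validity window)
# so it can be compared with the original apiserver.crt before replacing it.
describe_cert() {
  openssl x509 -in "$1" -noout -subject -dates
  openssl x509 -in "$1" -noout -text | grep -A1 'Subject Alternative Name' || echo "no SAN extension"
}

# Usage on the node from the article (the issued certificate path is whatever your CA returned):
#   check_issued_cert /tmp/apiserver.csr/apiserver.key /tmp/apiserver.csr/apiserver.csr \
#                     /path/to/issued-apiserver.crt /etc/kubernetes/pki/ca.crt && describe_cert /path/to/issued-apiserver.crt
```

A return of 1 means the files do not belong together and must not be installed; a return of 2 usually means the CA certificate in /etc/kubernetes/pki does not match the CA that signed the request, which the API server's clients would reject in the same way.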
© 2024 shulou.com SLNews company. All rights reserved.